IN PROGRESS: firehose: an interchange format so we can capture results from all static analyzers in a consistent format. This consists of:

an XML serialization format (with a RELAX NG schema)

a Python module for in-memory creation/manipulation

parsers for converting analysis results into the common format:

DONE: gcc warnings

DONE: cppcheck warnings (v2 of its XML output format)

DONE: clang-static-analyzer (the .plist output format)

IN PROGRESS(dmalcolm): cpychecker warnings (patching cpychecker so that internally it uses the above Python API's classes)

others?

handle analyzer failures (where an analyzer choked and all or part of a source file failed; nice to capture where the failure happened).

IN PROGRESS(dmalcolm): mock-with-analysis (need better name?): a way of doing a mock rebuild of a src.rpm with minimal effect on the main build, whilst injecting a side-effect of running static analyzers on each C/C++ file compiled (other languages?). It drops firehose XML files into the chroot as results as it goes, so that they can be slurped into a database

IN PROGRESS(dmalcolm): gccinvocation: a Python module for parsing GCC command lines, for use by mock-with-analysis

TODO: make all of the above more robust

TODO: "firehose-ui": a db and web UI for summarizing and reviewing results from many analyzers across many packages, with nice workflows

TODO: gluing all of the above together and deploying it.

having a team that comes up with filters that achieve a decent signal:noise ratio, so that J Random package maintainer doesn't have to wade through so much noise

Tasks seeking volunteers

C/C++ Hackers

Patching cppcheck so that it provides richer output. Specifically, we're using version 2 of the XML format. We'd like it to emit the name of the function in which each problem is found (rather than just the line number), since this will make it easier to find duplicate error reports across runs of the tool

Patching cppcheck to add CWE codes to the errors. sgrubb did some work on this in the past, but it didn't get as far as an upstream patch

Patching clang-analyzer so that it provides richer output (to make it easier to find duplicate error reports across runs of the tool). Specifically, we're using the plist format. We'd like it to emit:

the name of the function in which each problem is found (rather than just the line number)

the internal ID of the test that found the problem (e.g. "core.AttributeNonNull")
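Why the function name and test ID matter for finding duplicates across runs, as an added example (not firehose code or its API): the dict field names, the two key tuples and the sample results are assumptions constructed for illustration.

```python
from collections import Counter
import hashlib

# Two candidate identities for a result (field names are hypothetical).
LINE_KEY = ("file", "line", "message")
FUNCTION_KEY = ("file", "function", "testid", "message")

def fingerprint(result, fields):
    """Hash the chosen fields of one result into a stable identifier."""
    joined = "\x00".join(str(result[f]) for f in fields)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def new_results(previous, current, fields):
    """Return results in `current` that have no counterpart in `previous`.

    A multiset is used so that two identical reports inside one function
    are matched one-for-one instead of being collapsed into a single key.
    """
    seen = Counter(fingerprint(r, fields) for r in previous)
    fresh = []
    for r in current:
        fp = fingerprint(r, fields)
        if seen[fp] > 0:
            seen[fp] -= 1      # matched an earlier report
        else:
            fresh.append(r)    # genuinely new in this run
    return fresh

# Constructed sample results, not real analyzer output.
RUN_1 = [
    {"file": "src/parse.c", "line": 120, "function": "read_header",
     "testid": "core.AttributeNonNull", "message": "null passed to nonnull"},
]
# Second run: unrelated lines were added above read_header (120 -> 134),
# and one new problem appeared in another function.
RUN_2 = [
    {"file": "src/parse.c", "line": 134, "function": "read_header",
     "testid": "core.AttributeNonNull", "message": "null passed to nonnull"},
    {"file": "src/parse.c", "line": 210, "function": "free_table",
     "testid": "core.AttributeNonNull", "message": "null passed to nonnull"},
]

if __name__ == "__main__":
    print(len(new_results(RUN_1, RUN_2, LINE_KEY)), "new by line number")
    print(len(new_results(RUN_1, RUN_2, FUNCTION_KEY)), "new by function")
```

Keyed on line number, the shifted report is counted as new; keyed on function and test ID, only the report in free_table is.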

Python web developers

Building a web UI for all of this.

Python developers

Making mock-with-analysis more robust

Packagers

Packaging "firehose" (as python-firehose)

Packaging "gccinvocation" (as python-gccinvocation)

Packaging "mock-with-analysis"

Testing "mock-with-analysis" on your own packages (expect breakage for now!)